[Forwarding for posterity, since it looks like my previous attempt got
dropped. Again. --Roger]
----- Forwarded message from Roger Dingledine <arma at MIT.EDU> -----
Date: Tue, 3 Sep 2013 03:46:15 -0400
From: Roger Dingledine <arma at MIT.EDU>
To: tor-talk at lists.torproject.org
Cc: tor-reports at lists.torproject.org
Subject: [tor-talk] Roger's status report, August 2013
Six things I did in August 2013:
1) Wrote a security advisory for the "Old Tor Browser Bundles
vulnerable" issue:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
and then posted it to the blog and helped to manage the confusion there
(700+ comments!)
https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable
2) Attended FOCI and Usenix Security:
https://www.usenix.org/conference/foci13
https://www.usenix.org/conference/usenixsecurity13
I mainly talked with grad students to help them understand Tor better
and focus more usefully on research questions. I also did a rump session
talk to summarize five "performance improvement" research directions
that look worth exploring.
3) Helped Karen, Nick, and Mike write a DRL funding proposal for more
core development and maintenance. If it works, this will be a two-year
grant to help with 1) turning more of the academic research prototype
pluggable transport designs into something clean that we can actually
give users; 2) better testing for the core "tor" program, including unit
tests, refactoring, and better use of our full network testing harness
named Chutney; and 3) build automation and a start at QA automation,
so we can have nightlies of everything, start automatically checking
for regressions, etc.
4) Released Tor 0.2.4.16-rc:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029344.html
5) Helped Kelley and Mike write an RFA funding proposal to move TBB
3.0 development forward for the next year -- 1) identify and resolve
privacy and security issues in Firefox that impact TBB users, especially
with respect to the two upcoming new Firefox releases; 2) improve the
usability and functionality of the Firefox extensions that we include
with TBB; and 3) finish and extend our "reproducible build" design that
allows users to gain confidence that TBB includes exactly and only the
components we meant it to include.
6) Started to deal with the huge growth in Tor users that started
in mid-August. Current theory is that it's a botnet of some sort that
bundled a Tor 0.2.3 client. We'll need to do ongoing firefighting here.
-------------------------------------------------------------------------
Six smaller things I did in August 2013:
7) Attended the board-of-directors meeting, including continuing to
wrangle the budget side of things. We should have some funding for new
people to help work on the myriad sides of Tor development, but we're
not yet sure how much we can afford to spend (or at least I'm not),
so it seems wisest to figure that out first.
8) Helped Arlo get set up to replace our live "check" server:
https://trac.torproject.org/projects/tor/ticket/9529
https://check2.torproject.org/
(Thanks Arlo!)
9) Agreed to do some more talks in the future:
Sept 2013, PLUG talk, http://www.phillylinux.org/meetings.html
Nov 2013, "Second Moscow International Forum for Innovative Development"
Jan 2014, NSF Watch, http://www.nsf.gov/cise/cns/watch/
10) Rewrote the FAQ entry on JavaScript and TBB:
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
11) Wrote an explanation for why I'm not too worried that the NSA might be
running Tor relays:
https://mailman.stanford.edu/pipermail/liberationtech/2013-August/010595.html
(It's not that I'm not worried. It's that I'm all full up on worry that
they watch links.)
12) Found time to write another monthly status report. I got off track
because I was trying to go through my inbox each month and answer mails
that I missed. I've given up on that :/ -- this mail is based only on
what I found in my outbox for August.
-------------------------------------------------------------------------
September 2013 goals include:
1) Continue dealing with fallout from the botnet. E.g. see
https://trac.torproject.org/projects/tor/ticket/9574
2) Finish and post my blog post motivating larger guard rotation periods,
and what to fix first:
https://trac.torproject.org/projects/tor/ticket/8240
3) Release 0.2.4.17-rc, and work on 0.2.4.x release notes so we can call
it stable.
4) Help Nick Hopper, our new research director, be more productive.
----- End forwarded message -----